Regulation (EU) 2022/2554 covers a wide variety of financial entitiesas defined in Article 2, points (a) to (t) that differ in size, structure, internal organisation, and in the nature and complexity of their activities, and thus have increased or reduced elements of complexity or risks. To ensure that that variety is duly taken into account, any requirements as regards ICT security policies, procedures, protocols and tools, and as regards a simplified ICT riskmeans any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; management framework, should be proportionate to that size, structure, internal organisation, nature and complexity of those financial entitiesas defined in Article 2, points (a) to (t), and to the corresponding risks.